Total: 316927 CVEs
| CVE | Vendors | Products | Updated | CVSS v2 | CVSS v3 | Description |
|---|---|---|---|---|---|---|
| CVE-2025-60892 | | | 2025-11-04 | N/A | 6.8 MEDIUM | An issue in Raspberry Pi Imager version 1.9.6 for Windows, affecting its OS customization feature. The imager's 'public-key authentication' setting unintentionally re-adds a user's id_rsa.pub key from their local Windows machine to the authorized_keys file on the Raspberry Pi, even after the user explicitly deletes the key from the user interface. This creates an unintended attack surface, as it could allow an attacker to use a different key than the intended one to log in to the device. |
| CVE-2025-64363 | | | 2025-11-04 | N/A | 7.5 HIGH | Improper Control of Filename for Include/Require Statement in PHP Program ('PHP Remote File Inclusion') vulnerability in SeventhQueen Kleo kleo allows PHP Local File Inclusion. This issue affects Kleo: from n/a through < 5.5.0. |
| CVE-2025-63469 | | | 2025-11-04 | N/A | 7.5 HIGH | Totolink LR350 v9.3.5u.6369_B20220309 was discovered to contain a stack overflow via the ssid parameter in the sub_421BAC function. This vulnerability allows attackers to cause a Denial of Service (DoS) via a crafted request. |
| CVE-2025-64356 | | | 2025-11-04 | N/A | 4.3 MEDIUM | Missing Authorization vulnerability in f1logic Insert PHP Code Snippet insert-php-code-snippet allows Exploiting Incorrectly Configured Access Control Security Levels. This issue affects Insert PHP Code Snippet: from n/a through <= 1.4.3. |
| CVE-2025-12357 | | | 2025-11-04 | N/A | 8.3 HIGH | By manipulating the Signal Level Attenuation Characterization (SLAC) protocol with spoofed measurements, an attacker can stage a man-in-the-middle attack between an electric vehicle and chargers that comply with ISO 15118-2. This vulnerability may be exploitable wirelessly, within close proximity, via electromagnetic induction. |
| CVE-2025-12606 | | | 2025-11-04 | 7.5 HIGH | 7.3 HIGH | A vulnerability was determined in itsourcecode Online Loan Management System 1.0. This issue affects some unknown processing of the file /manage_borrower.php. Manipulation of the argument ID causes SQL injection. Remote exploitation of the attack is possible. The exploit has been publicly disclosed and may be utilized. |
| CVE-2025-12175 | | | 2025-11-04 | N/A | 4.3 MEDIUM | The The Events Calendar plugin for WordPress is vulnerable to unauthorized access due to a missing capability check on the 'tec_qr_code_modal' AJAX endpoint in all versions up to, and including, 6.15.9. This makes it possible for authenticated attackers, with Subscriber-level access and above, to view draft event names and generate/view QR codes for them. |
| CVE-2025-48396 | | | 2025-11-04 | N/A | 8.3 HIGH | Arbitrary code execution is possible due to improper validation of the file upload functionality in Eaton BLSS. This security issue has been fixed in the latest script patch of Eaton BLSS (7.3.0.SCP004). |
| CVE-2025-35021 | | | 2025-11-04 | N/A | 6.5 MEDIUM | By failing to authenticate three times to an unconfigured Abilis CPX device via SSH, an attacker can log in to a restricted shell on the fourth attempt and, from there, relay connections. |
| CVE-2025-36249 | | | 2025-11-04 | N/A | 3.7 LOW | IBM Jazz for Service Management 1.1.3.0 through 1.1.3.25 does not set the secure attribute on authorization tokens or session cookies. Attackers may be able to get the cookie values by sending an http:// link to a user or by planting this link in a site the user visits. The cookie will be sent to the insecure link and the attacker can then obtain the cookie value by snooping the traffic. |
| CVE-2025-12608 | | | 2025-11-04 | 7.5 HIGH | 7.3 HIGH | A security flaw has been discovered in itsourcecode Online Loan Management System 1.0. The affected element is an unknown function of the file /manage_user.php. Manipulation of the argument ID results in SQL injection. The attack can be carried out remotely. The exploit has been released to the public and may be exploited. |
| CVE-2025-64387 | | | 2025-11-04 | N/A | N/A | The web application is vulnerable to a so-called 'clickjacking' attack. In this type of attack, the vulnerable page is inserted into a page controlled by the attacker in order to deceive the victim. This deception can range from making the victim click on a button to making them enter their login credentials in a form that, a priori, appears legitimate. |
| CVE-2025-12460 | | | 2025-11-04 | N/A | N/A | An XSS issue was discovered in Afterlogic Aurora webmail version 9.8.3 and below. An attacker can send a specially crafted HTML e-mail message with JavaScript in an img HTML tag. This could allow a remote attacker to load arbitrary JavaScript code in the context of a webmail user's browser window, and access user data. |
| CVE-2025-6988 | | | 2025-11-04 | N/A | 6.4 MEDIUM | The kallyas theme for WordPress is vulnerable to Stored Cross-Site Scripting via several of the plugin's shortcodes in all versions up to, and including, 4.23.0 due to insufficient input sanitization and output escaping on user-supplied attributes. This makes it possible for authenticated attackers, with contributor-level access and above, to inject arbitrary web scripts in pages that will execute whenever a user accesses an injected page. |
| CVE-2025-12552 | | | 2025-11-04 | N/A | N/A | Insufficient Password Policy. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. |
| CVE-2025-11602 | | | 2025-11-04 | N/A | N/A | Potential information leak in the bolt protocol handshake in Neo4j Enterprise and Community editions allows an attacker to obtain one byte of information from previous connections. The attacker has no control over the information leaked in server responses. |
| CVE-2025-40603 | | | 2025-11-04 | N/A | 4.5 MEDIUM | A potential exposure of sensitive information in log files in SonicWall SMA100 Series appliances may allow a remote, authenticated administrator, under certain conditions, to view partial user credential data. |
| CVE-2025-12554 | | | 2025-11-04 | N/A | N/A | Missing Security Headers. This issue affects BLU-IC2: through 1.19.5; BLU-IC4: through 1.19.5. |
| CVE-2025-62267 | | | 2025-11-04 | N/A | N/A | Multiple cross-site scripting (XSS) vulnerabilities in the web content template's select structure page in Liferay Portal 7.4.3.35 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, 7.4 update 35 through update 92 allow remote attackers to inject arbitrary web script or HTML via a crafted payload injected into a user's (1) First Name, (2) Middle Name, or (3) Last Name text field. |
| CVE-2025-62264 | | | 2025-11-04 | N/A | N/A | Reflected cross-site scripting (XSS) vulnerability in Language Override in Liferay Portal 7.4.3.8 through 7.4.3.111, and Liferay DXP 2023.Q4.0 through 2023.Q4.10, 2023.Q3.1 through 2023.Q3.10, and 7.4 update 4 through update 92 allows remote attackers to inject arbitrary web script or HTML via the `_com_liferay_portal_language_override_web_internal_portlet_PLOPortlet_selectedLanguageId` parameter. |
